1openshift_app_selinux(8) SELinux Policy openshift_app openshift_app_selinux(8)
2
3
4
6 openshift_app_selinux - Security Enhanced Linux Policy for the open‐
7 shift_app processes
8
10 Security-Enhanced Linux secures the openshift_app processes via flexi‐
11 ble mandatory access control.
12
13 The openshift_app processes execute with the openshift_app_t SELinux
14 type. You can check if you have these processes running by executing
15 the ps command with the -Z qualifier.
16
17 For example:
18
19 ps -eZ | grep openshift_app_t
20
21
22
24 SELinux defines process types (domains) for each process running on the
25 system
26
27 You can see the context of a process using the -Z option to ps
28
29 Policy governs the access confined processes have to files. SELinux
30 openshift_app policy is very flexible allowing users to setup their
31 openshift_app processes in as secure a method as possible.
32
33 The following process types are defined for openshift_app:
34
35 openshift_app_t
36
37 Note: semanage permissive -a openshift_app_t can be used to make the
38 process type openshift_app_t permissive. SELinux does not deny access
39 to permissive process types, but the AVC (SELinux denials) messages are
40 still generated.
41
42
44 The SELinux process type openshift_app_t is an MCS (Multi Category
45 Security) constrained type. Sometimes this separation is referred to
46 as sVirt. These types are usually used for securing multi-tenant envi‐
47 ronments, such as virtualization, containers or separation of users.
48 The tools used to launch MCS types, pick out a different MCS label for
49 each process group.
50
51 For example one process might be launched with open‐
52 shift_app_t:s0:c1,c2, and another process launched with open‐
53 shift_app_t:s0:c3,c4. The SELinux kernel only allows these processes
54 can only write to content with a matching MCS label, or a MCS Label of
55 s0. A process running with the MCS level of s0:c1,c2 is not allowed to
56 write to content with the MCS label of s0:c3,c4
57
58
60 SELinux policy is customizable based on least access required. open‐
61 shift_app policy is extremely flexible and has several booleans that
62 allow you to manipulate the policy and run openshift_app with the
63 tightest access possible.
64
65
66
67 If you want to allow users to resolve user passwd entries directly from
68 ldap rather then using a sssd server, you must turn on the authlo‐
69 gin_nsswitch_use_ldap boolean. Disabled by default.
70
71 setsebool -P authlogin_nsswitch_use_ldap 1
72
73
74
75 If you want to deny any process from ptracing or debugging any other
76 processes, you must turn on the deny_ptrace boolean. Enabled by
77 default.
78
79 setsebool -P deny_ptrace 1
80
81
82
83 If you want to allow all domains to execute in fips_mode, you must turn
84 on the fips_mode boolean. Enabled by default.
85
86 setsebool -P fips_mode 1
87
88
89
90 If you want to allow confined applications to run with kerberos, you
91 must turn on the kerberos_enabled boolean. Enabled by default.
92
93 setsebool -P kerberos_enabled 1
94
95
96
97 If you want to allow system to run with NIS, you must turn on the
98 nis_enabled boolean. Disabled by default.
99
100 setsebool -P nis_enabled 1
101
102
103
104 If you want to allow confined applications to use nscd shared memory,
105 you must turn on the nscd_use_shm boolean. Enabled by default.
106
107 setsebool -P nscd_use_shm 1
108
109
110
112 The SELinux process type openshift_app_t can manage files labeled with
113 the following file types. The paths listed are the default paths for
114 these file types. Note the processes UID still need to have DAC per‐
115 missions.
116
117 anon_inodefs_t
118
119
120 hugetlbfs_t
121
122 /dev/hugepages
123 /usr/lib/udev/devices/hugepages
124
125 nfs_t
126
127
128 openshift_rw_file_t
129
130 /var/lib/openshift/.*/data(/.*)?
131 /var/lib/stickshift/.*/data(/.*)?
132
133 openshift_tmp_t
134
135 /var/lib/openshift/.*/.tmp(/.*)?
136 /var/lib/openshift/.*/.sandbox(/.*)?
137 /var/lib/stickshift/.*/.tmp(/.*)?
138 /var/lib/stickshift/.*/.sandbox(/.*)?
139
140 openshift_tmpfs_t
141
142
143 security_t
144
145 /selinux
146
147
149 semanage fcontext can also be used to manipulate default file context
150 mappings.
151
152 semanage permissive can also be used to manipulate whether or not a
153 process type is permissive.
154
155 semanage module can also be used to enable/disable/install/remove pol‐
156 icy modules.
157
158 semanage boolean can also be used to manipulate the booleans
159
160
161 system-config-selinux is a GUI tool available to customize SELinux pol‐
162 icy settings.
163
164
166 This manual page was auto-generated using sepolicy manpage .
167
168
170 selinux(8), openshift_app(8), semanage(8), restorecon(8), chcon(1),
171 sepolicy(8), setsebool(8)
172
173
174
175openshift_app 19-10-08 openshift_app_selinux(8)